
Marcs Computerblog

Remove All Old Kernel Images in Ubuntu

The Problem

Unfortunately sudo apt-get --purge autoremove does not remove old, unused kernel images. This often results in a full /boot partition, especially on systems with a small /boot and an encrypted root /.

The Solution

It is simple to remove all old images while keeping the running one. For your comfort and safety, upgrade your system and reboot before you execute this command, to make sure the latest kernel is installed and running.

Remove all but the running kernel images:

sudo apt-get autoremove --purge 'linux-image-[0-9].*' linux-image-$(uname -r)+

Please check the list of images to be removed before you accept, and make sure at least one image remains installed before you reboot.

You can see a list of all existing packages whose names start with linux-image using the command dpkg -l 'linux-image*'. The packages with ii in front are installed.

If you have installed headers too, you can repeat the command, replacing image with headers:

sudo apt-get autoremove --purge 'linux-headers-[0-9].*' linux-headers-$(uname -r)+

If you get an error, make sure you are running the current kernel version, i.e. upgrade, then reboot.
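An added helper for the check above (example code, not from the original post): it reads the output of dpkg -l 'linux-image*', lists the installed (ii) versioned images except the running one, and refuses to produce a removal command if the running kernel is not installed. The dpkg listing in the block is constructed.

```shell
#!/bin/sh
# Constructed sample of `dpkg -l 'linux-image*'` output (not taken from a real system).
SAMPLE_DPKG='Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                          Version       Description
+++-=============================-=============-==========================
ii  linux-image-3.2.0-29-generic  3.2.0-29.46   Linux kernel image for version 3.2.0
ii  linux-image-3.2.0-31-generic  3.2.0-31.50   Linux kernel image for version 3.2.0
ii  linux-image-3.2.0-32-generic  3.2.0-32.51   Linux kernel image for version 3.2.0
rc  linux-image-3.2.0-27-generic  3.2.0-27.43   Linux kernel image for version 3.2.0
ii  linux-image-generic           3.2.0.32.35   Generic Linux kernel image'

# removable_kernels RUNNING < dpkg-l-output
# Prints the installed (ii) versioned kernel image packages except the running one.
# The meta package linux-image-generic has no digit after "linux-image-" and is kept,
# exactly like the 'linux-image-[0-9].*' pattern of the apt-get command above.
removable_kernels() {
    awk -v keep="linux-image-$1" '
        $1 == "ii" && $2 ~ /^linux-image-[0-9]/ && $2 != keep { print $2 }'
}

# running_kernel_installed RUNNING < dpkg-l-output
# Succeeds only if the running kernel is installed (status ii), i.e. the system was
# rebooted into the latest kernel and the removal cannot leave /boot without a bootable image.
running_kernel_installed() {
    awk -v keep="linux-image-$1" '
        $1 == "ii" && $2 == keep { found = 1 } END { exit !found }'
}

# safe_kernel_cleanup RUNNING < dpkg-l-output
# Prints the apt-get command with every old image listed explicitly, so the list can be
# reviewed before it is executed; prints nothing and fails if the running kernel is missing.
safe_kernel_cleanup() {
    listing=$(cat)
    printf '%s\n' "$listing" | running_kernel_installed "$1" || return 1
    old=$(printf '%s\n' "$listing" | removable_kernels "$1" | tr '\n' ' ')
    [ -n "$old" ] || return 2
    printf 'sudo apt-get autoremove --purge %s\n' "${old% }"
}

# On a live system: dpkg -l 'linux-image*' | safe_kernel_cleanup "$(uname -r)"
```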

Background Knowledge

The plus (+) sign behind a package name inverts the meaning and installs the package instead of removing it, so here the plus keeps the running kernel version. The uname command finds your actual kernel package version and type (here 3.2.0-32-generic). On my system, the uname command expands the above line to:

sudo apt-get autoremove --purge 'linux-image-[0-9].*' linux-image-3.2.0-32-generic+

Root Asus Transformer T101G ICS on Linux

To get root on the Asus Transformer T101G with ICS, there are some Windows batch files around, but running such a file first only works on Windows, not on Linux, and second you don't know what it does.

Sources: The exploit is known as «miloj TF300 exploit». I got my information from an analysis of http://forum.xda-developers.com/showthread.php?t=1689193, but a better explanation and a simpler approach is at http://forum.xda-developers.com/showthread.php?t=1704209.

Preparations

Precondition: You must install the Android SDK for Linux to get the tool adb. Mine is installed in ~/android-sdks/platform-tools/adb, so in a terminal shell I define an alias to be able to call adb without typing the full path or changing the $PATH variable:

alias adb=/home/marc/android-sdks/platform-tools/adb

Now adb calls /home/marc/android-sdks/platform-tools/adb and passes on the parameters, but only in this shell.

On your Android device, in the settings, section developer, you must enable debugging.

If you are successful, the command adb devices lists your device.

Check Android Version

Android must be version ICS 4.0.xxx, otherwise forget it.

Check it; the following command must give a version number that starts with 9:

adb shell getprop ro.build.version.incremental

I get WW_epad-9.2.2.6-20120525 which is perfectly fine.

The Hack

Call adb shell, then call:

mv /data/local/tmp /data/local/tmp.bak
ln -s /dev/block/mmcblk0p1 /data/local/tmp

That moves /data/local/tmp away and fakes a new temporary dir that points to /system (note that the device /dev/block/mmcblk0p1 is mounted on /system).

If everything was correct, ls -l in /data/local now shows:

shell@android:/data/local $ ls -l
lrwxrwxrwx shell    shell             2012-08-20 14:23 tmp -> /dev/block/mmcblk0p1
drwxrwx--x shell    shell             2009-01-01 02:31 tmp.bak

Now press ctrl-D or type exit to quit the adb shell, then reboot the device:

adb reboot

Now wait for the device to reappear:

adb wait-for-device

Download the files su and debugfs and push them to your Android device by typing:

adb push su /data/local
adb push debugfs /data/local

Start a shell on your Android device by calling adb shell, then enter:

cd /data/local
chmod 755 debugfs

This makes debugfs executable.

Now use debugfs and the faked link to copy su into /system/xbin/su:

/data/local/debugfs -w /data/local/tmp
debugfs: cd xbin

At this point, if you previously installed su, remove it first:

debugfs: rm su

If you call rm su but have not installed it, you get an error message here; simply ignore it.

debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit

Stay in the adb shell and clean up:

cd /data/local
rm tmp su debugfs
mv tmp.bak tmp

Leave the adb shell by hitting ctrl-D or typing exit and reboot once more:

adb reboot
adb wait-for-device

Now you're the master of your device; call adb shell, then test whether you can get root:

adb shell
$ /system/xbin/su
# id
id=0(root) gid=0(root) ....
# exit
$ exit

Now immediately disable USB debugging and install Superuser from the market.

Combine SSH Public-Key and LDAP on Ubuntu

The idea is that OpenSSH reads the authorized keys for public-key login not from ~/.ssh/authorized_keys, but directly from an attribute in LDAP.

The first implementation was the LPK patch: http://code.google.com/p/openssh-lpk. Unfortunately, that project is not actively maintained (as of 08/2012) and the OpenSSH maintainers refuse to introduce the patch upstream, even though it's the simplest and most straightforward solution.

The next try was to add a configuration option AuthorizedKeysCommand to sshd_config, which passes not a file but a helper command that returns the authorized keys. There is a ticket for OpenSSH, but unfortunately here too the e-mail addresses are outdated, the OpenSSH maintainers are sleeping and nothing happens: https://bugzilla.mindrot.org/show_bug.cgi?id=1663. At least Red Hat has integrated the patch into Fedora, but Ubuntu refuses to do so: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/911747.

So I took the two patches, integrated them into the current openssh-server package and offer them for installation through my Ubuntu repository1).

Install from Ubuntu Repository

Configure apt to use my repository:

wget -O- http://dev.marc.waeckerlin.org/repo/PublicKey | sudo apt-key add -
sudo apt-add-repository http://dev.marc.waeckerlin.org/repo
sudo apt-get update

You can then choose your preferred implementation:

sudo apt-get install openssh-lpk-server

or

sudo apt-get install openssh-akc-server

Configuration

You can manage the users and their keys with the LDAP Account Manager (LAM), which has been extended to support adding SSH keys.

On your LDAP host you must add a schema for the SSH keys.

Create file publickey.ldif:

dn: cn=openssh-lpk_openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk_openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $
 uid ) )

Load the file publickey.ldif into LDAP (if you use the new cn=config configuration):

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f publickey.ldif

Then, in the LAM server profiles, add the module ldapPublicKey to the user modules.

Check that everything is set up correctly. For this you can use the schema tests in LAM: Tools → Tests → Schema test should show the SSH key extension with no associated problem.

The AuthorizedKeysCommand (AKC) Patch

I downloaded the patch from https://bugzilla.mindrot.org/attachment.cgi?id=2083 and resolved the conflicts with other Ubuntu patches, so here is the patch that can be applied to the Ubuntu sources: openssh-5.9p1.ubuntu.akc.patch

You then need a suitable command to fetch the keys from the LDAP host.

I use the following configuration:

Changes in /etc/ssh/sshd_config

In file /etc/ssh/sshd_config, I change and add the following lines:

PermitRootLogin no
PasswordAuthentication no

AuthorizedKeysCommand /etc/ssh/ldap-keys.sh

The first two lines increase security (no direct root login, no password authentication); the last line enables the new feature.

New LDAP Authorization Script /etc/ssh/ldap-keys.sh

As the command to read the keys from LDAP, I use a new script /etc/ssh/ldap-keys.sh2), which evaluates the definitions in /etc/ldap.conf3) and uses the same settings for its own LDAP query:

#!/bin/bash

# get configuration from /etc/ldap.conf: every "key value" line becomes the
# shell assignment key="value" (uri, base, binddn, bindpw, ssl, tls_checkpeer, ...);
# the whole generated list is evaluated at once so values containing blanks survive
eval "$(sed -n 's/^\([a-zA-Z_]*\) \(.*\)$/\1="\2"/p' /etc/ldap.conf)"

# map the ssl / tls_checkpeer settings of ldap.conf to the StartTLS options of ldapsearch
OPTIONS=
case "$ssl" in
    start_tls)
        case "$tls_checkpeer" in
            no) OPTIONS+="-Z";;   # try StartTLS, continue if it fails
            *) OPTIONS+="-ZZ";;   # require StartTLS to succeed
        esac;;
esac

# look up the posixAccount with the requested uid ($1, the login name passed by sshd)
# and print its sshPublicKey values; the sed joins LDIF continuation lines (leading
# blank) back into one key line and strips the attribute name
ldapsearch $OPTIONS -H ${uri} \
    -w "${bindpw}" -D "${binddn}" \
    -b "${base}" \
    '(&(objectClass=posixAccount)(uid='"$1"'))' \
    'sshPublicKey' \
    | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Test the script from the command line: call it with an LDAP uid (which is also the UNIX login name) as the first argument; it should then return all keys of the given user. Example: /etc/ssh/ldap-keys.sh marc looks up the SSH keys of UNIX user marc in LDAP.
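A hardened version of the key lookup (an added example, not the script from this post): it escapes the login name before it is placed in the LDAP filter, unfolds LDIF continuation lines and base64 (::) values, and keeps only values that look like an OpenSSH key line. The ldapsearch options -LLL, -x, -H and -b are standard OpenLDAP options; LDAP_URI and LDAP_BASE are placeholder environment variables, and the ldapsearch output in the block is constructed.

```shell
#!/bin/sh
# ldap_filter_escape NAME: escape \ * ( ) as RFC 4515 requires, so the login name
# handed over by sshd cannot change the structure of the search filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# user_key_filter NAME: the same filter as in the script above, with the name escaped
user_key_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# ldif_attribute_values ATTR < ldif: print every value of ATTR, one per line.
# Unfolds LDIF continuation lines (leading space) and decodes base64 values ("ATTR:: ...").
ldif_attribute_values() {
    attr=$1
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    while IFS= read -r line; do
        case $line in
            "$attr:: "*) printf '%s\n' "${line#"$attr:: "}" | base64 -d; echo ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# authorized_keys_lines < ldif: keep only values that look like one OpenSSH public-key
# line, so stray directory content never ends up in what sshd treats as authorized_keys.
authorized_keys_lines() {
    ldif_attribute_values sshPublicKey |
    grep -E '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$'
}

# ldap_keys_for_user NAME: what the AuthorizedKeysCommand would run (LDAP_URI and
# LDAP_BASE are placeholders; anonymous bind with -x for the example)
ldap_keys_for_user() {
    ldapsearch -LLL -x -H "${LDAP_URI:-ldap://localhost}" -b "${LDAP_BASE:-dc=example,dc=org}" \
        "$(user_key_filter "$1")" sshPublicKey | authorized_keys_lines
}

# Constructed ldapsearch output (not from a real directory): a folded key, a base64
# encoded value and a value that is not a key at all.
SAMPLE_LDIF="dn: uid=marc,ou=people,dc=example,dc=org
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0fake/constructed/key/mat
 erial+++++++++++++++++++++++++++++++++++++++++++ marc@example.org
sshPublicKey:: $(printf '%s' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterial marc@laptop' | base64 | tr -d '\n')
sshPublicKey: not a key at all
"
```

Run printf '%s\n' "$SAMPLE_LDIF" | authorized_keys_lines to see the two valid key lines; the third value is dropped.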

The LPK Patch

At least, there is an actual patch in the bug reports: http://code.google.com/p/openssh-lpk/issues/detail?id=13 (This is a copy of the patch: openssh-lpk-5.9p1.patch)

There is a bug in this patch: Lines 350 and 351 are duplicates, one of them must be removed.

On Ubuntu, there is also an outdated PPA repository that already provides a patched OpenSSH, but not for recent versions:

sudo apt-add-repository ppa:sfire/ssh-lpk
sudo apt-get update

Jenkins Scripts

This is additional detail on what exactly I did. You don't need to know it unless you want to rebuild the packages yourself.

The packages are built using the following Jenkins bash scripts.

Sources:

The AKC Patch

#!/bin/bash -ex
 
export EMAIL=marc@waeckerlin.org
export NAME="Marc Wäckerlin"
 
renamepackage() {
  from=$1
  to=$2
  for file in $(find debian -name "*${from}*"); do
    mv ${file} ${file//${from}/${to}}
  done
  for file in $(find debian -exec grep -l ${from} {} ';'); do
    sed -i "s/${from}/${to}/g" ${file}
  done
  sed -i "/Package: *${to} *$/,/^$/s/Conflicts:.*/&, ${from}/" debian/control
  sed -i "/Package: *${to} *$/,/^$/s/Replaces:.*/&, ${from}/" debian/control
  sed -i "/Package: *${to} *$/,/^$/s/Provides:.*/&, ${from}/" debian/control
}
 
# add source-repository and install all necessary packages
schroot -c ${distro}_${arch} -u root -d / -- sed -i '/^deb-src/d;/^deb /{p;s/^deb/deb-src/}' /etc/apt/sources.list
schroot -c ${distro}_${arch} -u root -d / -- apt-get update
schroot -c ${distro}_${arch} -u root -d / -- apt-get -y --force-yes install quilt devscripts
schroot -c ${distro}_${arch} -u root -d / -- apt-get -y --force-yes build-dep openssh-server
 
# download the sources of openssh-server - not with sudo
apt-get source openssh-server
 
# download the akc patch file
wget -O openssh-akc.patch 'http://marc.wäckerlin.ch/_media/computer/blog/openssh-5.9p1.ubuntu.ack.patch'
 
# go to the downloaded and extracted directory
cd openssh-5.9p1
 
# add the new patch to the build using quilt
quilt push -a || true
quilt new openssh-akc.patch
quilt add $(patch --dry-run -p1 < ../openssh-akc.patch  | sed -n 's,patching file ,,p')
patch -p1 < ../openssh-akc.patch
quilt add configure config.h.in
autoconf
autoheader
quilt refresh
quilt pop -a
# append "confflags += --with-authorized-keys-command" to the debian rules, just after "confflags += --with-pam"
sed -i '/confflags *+= *--with-pam/aconfflags += --with-authorized-keys-command' debian/rules
## refresh configure file before calling configure
#sed -i '/^override_dh_auto_configure:/a\\taclocal && autoconf' debian/rules
# There's a bug in consolekit
sed -i '/confflags *+= *--with-consolekit/d' debian/rules
 
# rename package name to contain akc
renamepackage openssh-server openssh-akc-server
# Fix dependency on openssh-client, so building openssh-akc-client is not necessary
sed -i "/Package: *openssh-akc-server *$/,/^$/s/\(Depends:.*\) openssh-client[^,]*,\(.*\)/\1\2/" debian/control
# otherwise we'd need to provide openssh-akc-client:
#   renamepackage openssh-client openssh-akc-client
 
# Fix (build-) dependencies for old distributions: remove minimal versions
sed -i 's/ (>[^)]*),/,/g' debian/control
 
# create a new build version - enter a change text, e.g. "applied akc patch"
debchange -i "apply akc patch"
 
# rebuild debian packages
schroot -p -c ${distro}_${arch} -- debuild -us -uc -i -I

The LPK Patch

#!/bin/bash -ex
 
export EMAIL=marc@waeckerlin.org
export NAME="Marc Wäckerlin"
 
renamepackage() {
  from=$1
  to=$2
  for file in $(find debian -name "*${from}*"); do
    mv ${file} ${file//${from}/${to}}
  done
  for file in $(find debian -exec grep -l ${from} {} ';'); do
    sed -i "s/${from}/${to}/g" ${file}
  done
  sed -i "/Package: *${to} *$/,/^$/s/Conflicts:.*/&, ${from}/" debian/control
  sed -i "/Package: *${to} *$/,/^$/s/Replaces:.*/&, ${from}/" debian/control
  sed -i "/Package: *${to} *$/,/^$/s/Provides:.*/&, ${from}/" debian/control
}
 
# add source-repository and install all necessary packages
schroot -c ${distro}_${arch} -u root -d / -- sed -i '/^deb-src/d;/^deb /{p;s/^deb/deb-src/}' /etc/apt/sources.list
schroot -c ${distro}_${arch} -u root -d / -- apt-get update
schroot -c ${distro}_${arch} -u root -d / -- apt-get -y --force-yes install quilt devscripts libldap2-dev
schroot -c ${distro}_${arch} -u root -d / -- apt-get -y --force-yes build-dep openssh-server
 
# download the sources of openssh-server - not with sudo
apt-get source openssh-server
 
# download the lpk patch file
wget -O openssh-lpk.patch 'http://marc.wäckerlin.ch/_media/computer/blog/openssh-lpk-5.9p1.patch'
# bugfix in patch
sed -i '287s/95/94/;350d' openssh-lpk.patch
 
# go to the downloaded and extracted directory
cd openssh-5.9p1
 
# add the new patch to the build using quilt
quilt push -a || true
quilt new openssh-lpk.patch
quilt add $(patch --dry-run -p0 < ../openssh-lpk.patch  | sed -n 's,patching file ./,,p')
patch -p0 < ../openssh-lpk.patch
quilt refresh
quilt pop -a
# append "confflags += --with-ldap" to the debian rules, just after "confflags += --with-pam"
sed -i '/confflags *+= *--with-pam/aconfflags += --with-ldap' debian/rules
 
# rename package name to contain lpk
renamepackage openssh-server openssh-lpk-server
# Fix dependency on openssh-client, so building openssh-lpk-client is not necessary
sed -i "/Package: *openssh-lpk-server *$/,/^$/s/\(Depends:.*\) openssh-client[^,]*,\(.*\)/\1\2/" debian/control
# otherwise we'd need to provide openssh-lpk-client:
#   renamepackage openssh-client openssh-lpk-client
 
# Fix (build-) dependencies for old distributions: remove minimal versions
sed -i 's/ (>[^)]*),/,/g' debian/control
 
# create a new build version - enter a change text, e.g. "applied lpk patch"
debchange -i "apply ldap lpk patch"
 
# rebuild debian packages
schroot -p -c ${distro}_${arch} -- debuild -us -uc -i -I

1) The repository supports the following Ubuntu versions (valid in August 2012): precise, oneiric, natty, maverick
2) Don't forget to give it executable rights:
   sudo chmod ugo+x /etc/ssh/ldap-keys.sh
3) /etc/ldap.conf is configured when you install the package setup-ldap-client

Combine PKCS11 (SuisseID) and SSH

It would be nice to secure an SSH login with a PKCS#11 hardware token, such as the SuisseID.

If you have your SuisseID on a USB stick and have installed the Linux Post SuisseID software, it is extremely simple:

  1. Activate the PKCS#11 library:
    ssh-add -s /usr/lib/libcvP11.so
  2. Exchange public PKCS#11 key with server:
    ssh-copy-id remote.server.url

Then you can log in via SSH to the host remote.server.url with your SuisseID.

user@host1:~$ ssh-add -s /usr/lib/libcvP11.so 
Enter passphrase for PKCS#11: 
Card added: /usr/lib/libcvP11.so
user@host1:~$ ssh-copy-id host2
user@host2's password: 
Now try logging into the machine, with "ssh 'host2'", and check in:
 
  ~/.ssh/authorized_keys
 
to make sure we haven't added extra keys that you weren't expecting.
 
user@host1:~$ ssh host2
user@host2:~$

Install SwissSign SSL Server Certificate in Apache

Install Apache (Ubuntu)

Install and enable Apache and the SSL module on your computer, i.e. on Ubuntu:

  • sudo apt-get install apache2

If SSL is not yet enabled (i.e. the file /etc/apache2/mods-enabled/ssl.load does not exist or is not a link to /etc/apache2/mods-available/ssl.load), enable the ssl module:

  • sudo a2enmod ssl

Enable the default SSL configuration; this links the existing file /etc/apache2/sites-available/default-ssl to /etc/apache2/sites-enabled/default-ssl (if on your system the example configuration has another name, just use that instead of default-ssl):

  • sudo a2ensite default-ssl

Configure Apache

Edit the configuration file, e.g. /etc/apache2/sites-enabled/default-ssl:

Change the following lines (use your certificate filename instead of filename):

Old value:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

New value:

SSLCertificateFile /etc/ssl/certs/filename.pem
SSLCertificateKeyFile /etc/ssl/private/filename.key
SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

Install Certificate and Key

If you download your certificate from http://SwissSign.com, it is a *.p12 file (in PKCS#12 format). For installation in Apache you need to split it into a key file and a certificate file.

In this tutorial, the filename of the downloaded certificate is filename.p12.

Get the plain key file (without password encryption), the server certificate and the CA certificate from the PKCS#12 file:

  • openssl pkcs12 -in filename.p12 -out filename.key -nodes -nocerts
  • openssl pkcs12 -in filename.p12 -out filename.pem -nodes -nokeys -clcerts
  • openssl pkcs12 -in filename.p12 -out server-ca.crt -nodes -nokeys -cacerts

Move the files into the Apache configuration:

  • sudo mv filename.pem /etc/ssl/certs/
  • sudo mv filename.key /etc/ssl/private/
  • sudo mkdir /etc/apache2/ssl.crt/
  • sudo mv server-ca.crt /etc/apache2/ssl.crt/

Reload Apache - Done!

Reload the Apache configuration and you're done:

  • sudo service apache2 reload
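The split as a checked procedure (an added example, not from the original post): it writes the three files the Apache configuration above expects, creates the unencrypted key with a strict umask, and verifies that key and certificate actually belong together before anything is moved into /etc/ssl. It assumes OpenSSL is installed and that the bundle password is passed as the second argument.

```shell
#!/bin/sh
# split_p12 BUNDLE.p12 PASSWORD OUTDIR
# Writes OUTDIR/filename.key (mode 0600), OUTDIR/filename.pem and OUTDIR/server-ca.crt,
# the same three files the openssl commands above produce.
split_p12() {
    bundle=$1 pass=$2 out=$3
    mkdir -p "$out" || return 1
    # the unencrypted key must never be readable by others: create it under umask 077
    ( umask 077 && openssl pkcs12 -in "$bundle" -passin "pass:$pass" \
        -nodes -nocerts -out "$out/filename.key" ) || return 1
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nodes -nokeys -clcerts \
        -out "$out/filename.pem" || return 1
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nodes -nokeys -cacerts \
        -out "$out/server-ca.crt"
}

# key_matches_cert KEYFILE CERTFILE
# Succeeds only if the public key inside the certificate equals the one derived from
# the private key; this catches a mixed-up or stale key before Apache is reloaded.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# key_is_private KEYFILE: succeeds if the key file is neither group- nor world-readable
key_is_private() {
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (P12PASS is a placeholder for the password SwissSign gave you):
#   split_p12 filename.p12 "$P12PASS" out &&
#   key_matches_cert out/filename.key out/filename.pem &&
#   key_is_private out/filename.key
# then move the files into /etc/ssl and /etc/apache2/ssl.crt as shown above.
```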

Remember: OpenSSL Certificate Conversions

Extract client certificate file from PKCS#12 file:
openssl pkcs12 -in filename.p12 -out filename.pem -nodes -nokeys -clcerts

Extract CA certificate file from PKCS#12 file:
openssl pkcs12 -in filename.p12 -out filename.pem -nodes -nokeys -cacerts

Extract key file from PKCS#12 file:
openssl pkcs12 -in filename.p12 -out filename.key -nodes -nocerts

Extract password-encrypted key file from PKCS#12 file:
openssl pkcs12 -in filename.p12 -out filename.pem -nocerts

Change PKCS#12 password:
openssl pkcs12 -in old-filename.p12 -nodes > x && openssl pkcs12 -export -in x -out new-filename.p12; rm x

Generate PKCS#12 file from key and certificate files:
openssl pkcs12 -export -in filename.pem -inkey filename.key -out filename.p12

When downloading from SwissSign: download the certificate with Certificate Encoding PEM, deselect PKCS#7 Format and select Include Certificate Chain.